Recently, technical guidance was released for CIOs and CISOs on how to prepare for a ransomware attack. This guide was a joint effort of multiple Federal agencies to address the growing concern of ransomware. In “How to protect your Networks from Ransomware,” they provide some suggestions for prevention and response. We have created a checklist below to help you based on their recommendations. You can review your current policies, procedures and plans to see if you are cover
What topics need to be covered in cybersecurity policies? In this post I will cover the required cybersecurity policies from various cybersecurity standards, and in future posts I will cover cybersecurity procedures and cybersecurity-related supporting documents. The table below lists items or topics that should be addressed either in an overall cybersecurity policy or in individual policies. This list is based on NIST standards including the Risk Management Framework, Cyberse
Some standards, like PCI and NIST, require policies that cover specific topics. Sometimes you will see a requirement for a policy and a procedure around a given topic, and other times you will see a requirement that says “policy and procedures.” People often get hung up on the terms “policy” and “procedure,” and confuse the two. Here are some of the top questions I get about policies, procedures, and plans.
Do I have to use the specific terms policy, procedure, or plan?
People often ask for advice regarding information security or cybersecurity policies. For the remainder of this article, I will use cybersecurity and information security interchangeably. Nearly always it is a loaded question: exactly what do they mean by policy? Cybersecurity documentation for organizations comes in many levels and is influenced by a number of internal and external sources. Within an organization, there may be four levels of cybersecurity documentation.
Here is a sample high-level cybersecurity policy for a city, district, or county. It is designed to be a high-level statement adopted by the city council, supervisors, or board of directors, leaving detailed policies and procedures at a lower level. The reason is that detailed policy and procedure may need to change regularly, and there is no reason to continually go back to the council or board for detail changes. It is appropriate for department heads to accept the risks to their oper
Microsoft has released Compliance Manager for general availability this week. The feature was made available in Public Preview in November 2017 (see MC125028). According to Microsoft, “Compliance Manager is a cross-Microsoft-cloud services feature designed to help organizations meet complex compliance obligations, including GDPR, ISO 27001, ISO 27018, NIST 800-53, and HIPAA.” To access the feature, you can log in to the Service Trust Portal at https://servicetrust.microsof
"That's not the way things work in government." This is the catch-all excuse for not doing what needs to be done in the government. The Federal Government has had issues with cybersecurity for years. Recent news indicates that the outlook for the Federal government is not progressing. Having worked for the Federal Government and other government agencies, I think they are their own worst enemies. The bureaucracy created to secure systems has replaced the intent and purpose
NIST is proud to announce the release of Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist. This Special Publication has been approved as final.
Link to the Announcement of this SP’s release (CSRC News page):
Link to Special Publication 800-179 (PDF format) from the NIST Library website:
TU RMF Roles and Responsibilities (Part 1) People are a critical factor in any cybersecurity initiative. In this session we will cover the roles and responsibilities defined by NIST for the Risk Management Framework (RMF). This is the third in a series on NIST’s Risk Management Framework (RMF). This session covers topics in (ISC)2 CAP certification, FISMA, Certification and Accreditation, DIACAP, and DIARMF. #CAP #Cybersecurity #RMF #ISC2 #NIST #FISMA
TU Building and Maintaining a Successful RMF Program
Starting or maintaining an effective and efficient risk management program (RMF) is key for success. Cybersecurity challenges often take time away from this key aspect of implementation. This is the second in a series on NIST’s Risk Management Framework (RMF). This session covers topics in (ISC)2 CAP certification, FISMA, DIACAP and DIARMF. #RMF #TU #RiskManagement #NIST #FISMA #Cybersecurity #CAP #ISC2